Apple has revoked Facebook’s enterprise iOS developer certificate on the heels of a “Facebook Research” VPN app that was being distributed to consumers; the app paid teens and Millennial users in exchange for being able to track their phone and web activity, and has been available since 2016.
Apple said that the app’s consumer distribution was done in breach of the iPhone giant’s enterprise developer policies.
A Tuesday TechCrunch report uncovered that the social-media giant has been paying users (between the ages of 13 and 35) up to $20 a month to install the app, referred to as Project Atlas, on iOS or Android. The app gave Facebook full data access – including how and when users use the apps on their phone, their internet browsing history, and even screenshots of their Amazon order-history page, according to the report.
The report also alleged that Facebook appeared to have purposefully avoided Apple’s official beta-testing system, TestFlight, which reviews consumer apps before they’re released on the App Store — because it may have found the app in violation of Apple’s app data privacy policy. Instead, Facebook made use of Apple enterprise developer tools, said the report. It allegedly instructed users to download the app from an internal link (r.facebook-program.com), and then install an Enterprise Developer Certificate and VPN, giving Facebook root access to the data on their phone.
Apple said that this approach represents “a clear breach of [Facebook’s] agreement with Apple,” and has banned the app.
“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization,” Apple said in a media statement. “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
Since June, Apple’s developer policies have included strict data-collection rules that bar the collection of data about the usage of other apps, or of any data that’s not necessary for an app to function.
“Apps should only request access to data relevant to the core functionality of the app, and should only collect and use data that is required to accomplish the relevant task,” according to Apple’s policy.
According to the report, Facebook was also obfuscating its involvement; it alleges that the social network was working with three app beta-testing services (BetaBound, uTest and Applause) to advertise and distribute the app under the guise of something called “Project Atlas,” with no mention of the Facebook Research app until users clicked through on the ads. The app was also advertised on Snapchat and Instagram.
A Facebook spokesperson, however, told Threatpost that key facts about the market research program are being ignored.
“Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research app,” the spokesperson said. “It wasn’t ‘spying,’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission, and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”
Neither Apple nor Android-owner Google responded to multiple requests for comment from Threatpost.
Ongoing Privacy Problems
Facebook has faced a barrage of critiques over the last year after its Cambridge Analytica scandal as data-privacy issues continue to plague the social-media company.
Earlier this year Facebook’s Onavo Protect app was barred from Apple’s App Store (although Onavo Protect’s website shows that the app is still available on Android). It was a similar case: Onavo Protect is a mobile VPN app that encrypts users’ personal information and monitors their data to help customers manage their mobile data usage and limit apps that use lots of data. However, the app was reporting to Facebook when a user’s screen was on or off, as well as the device’s cellular data usage.
As such, Apple said that the app violated its data policies.
Facebook confirmed to Threatpost that it pulled the app from Apple’s App Store, but added: “We’ve always been clear when people download Onavo about the information that is collected and how it is used,” a spokesperson said. “As a developer on Apple’s platform, we follow the rules they’ve put in place.”
“Facebook is really at a crossroads here,” Theresa Payton, CEO of cybersecurity consultancy Fortalice Solutions, told Threatpost. “It can continue to use business practices that satisfy their board’s and shareholders’ appetite for short-term revenue to collect data from users without their knowledge, or it can step up and create a new revenue and privacy model that balances the needs of all stakeholders, including its users. This is about doing the right thing, but it’s also about Facebook’s ongoing relationship with its user base and longevity as a business. As consumers become more informed about how companies like Facebook are using their private information, they’re going to seek out networks that are more dedicated to transparency and to protecting their privacy.”